On 7/14/2014 4:45 AM, Ade Lee wrote:
> Hi all,
>
> I have rebased all the previous patches against master, and have squashed them all into a single patch. It's a large patch, but as many folks have already reviewed the constituent precursor patches, most of it should be familiar and easier to review.
>
> The main difference with what was specified before is that the DRM database is installed as a subtree to o=ipaca. This means that no new replication agreements will be needed to replicate DRM data. Replication agreements set up for the Dogtag CA will automatically replicate DRM data.
>
> In order for this patch to work, a new build of Dogtag 10.2 is needed - with specific changes to allow the ability to install a database as a subtree of an existing tree. At this time, these changes have not yet been checked into the dogtag source. You can obtain such a build from:
> http://copr.fedoraproject.org/coprs/vakwetu/dogtag/build/21936/
>
> Please review,
>
> Thanks,
> Ade
Some comments/questions:
1. The suffix for the DRM is o=ipadrm,o=ipaca. It's probably better to
change it to ou=drm,o=ipaca since another "ipa" under o=ipaca would be
redundant. In the future we might want to migrate the current CA entries
into ou=ca,o=ipaca subtree so that ou=ca and ou=drm will be at the same
level, and keep o=ipaca as the parent tree for Dogtag subsystems.
Alternatively, we probably could merge o=ipaca and o=ipadrm since the
structure of each tree seems to have been designed to share the user and
groups, but still maintain separate structure for CA/KRA-specific
storage. The current Dogtag probably doesn't support this, but it's a
possibility with additional work.
2. If a clone doesn't have DRM installed but it's getting replicated DRM
data, is there any concern?
3. The Dogtag dependency should be updated to 10.2. Also the
dogtag_version and DOGTAG_VERSION variables are probably not granular
enough to detect the minor version. This message should be updated too:
Dogtag must be version 10.1 or above to install DRM
4. It's probably unnecessary to override the following methods in
CAInstance since they only call the base methods.
* enable()
* start_instance()
* stop_instance()
* restart_instance()
* http_proxy()
5. The following code in ipaserver/plugins/dogtag.py will no longer work
due to a recent change in Dogtag:
    transport_cert = kraclient.system_certs.get_transport_cert()
    tcert = transport_cert[
        len(pki.CERT_HEADER):
        len(transport_cert) - len(pki.CERT_FOOTER)]
    crypto.import_cert(
        self.transport_nick,
        base64.decodestring(tcert), "u,u,u")
This is how it's used now in drmtest.py:
    transport_cert = kraclient.system_certs.get_transport_cert()
    print "Subject DN: " + transport_cert.subject_dn
    print transport_cert.encoded
    crypto.import_cert(transport_nick, transport_cert, "u,u,u")
6. The code in ipaserver/install/drminstance.py creates a file
/tmp/drm.p12. How long will this file stay in the /tmp folder? Should it
be moved into a more permanent location? If it's a temporary file, can
we use the python tempfile module?
--
Endi S. Dewata
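A helper illustrating the problem behind comment 5, added here as an example and not code from the patch, from FreeIPA or from Dogtag: it accepts both return shapes of get_transport_cert() (the old PEM string and the new object with .encoded) and, unlike the blind slice in the old dogtag.py code, checks the PEM delimiters before stripping them, so an unexpected return type fails loudly instead of producing garbage DER. CERT_HEADER, CERT_FOOTER and _CertObject are assumptions standing in for pki's constants and the new Dogtag return type.

```python
import base64
import binascii

# Assumed PEM delimiters; the page does not show pki.CERT_HEADER / pki.CERT_FOOTER,
# so the standard X.509 ones are used here.
CERT_HEADER = "-----BEGIN CERTIFICATE-----"
CERT_FOOTER = "-----END CERTIFICATE-----"


def transport_cert_to_der(transport_cert):
    """Return the DER bytes of a KRA transport certificate.

    Works for a PEM string (old get_transport_cert() result) and for an
    object exposing .encoded (new result, as used in drmtest.py).
    """
    pem = getattr(transport_cert, "encoded", transport_cert)
    if isinstance(pem, bytes):
        pem = pem.decode("ascii")
    if not isinstance(pem, str):
        raise TypeError("transport cert is neither PEM text nor an object with .encoded")
    body = pem.strip()
    # The old code sliced by header/footer length without checking they were
    # present; verify them first so a changed API does not corrupt the cert.
    if not (body.startswith(CERT_HEADER) and body.endswith(CERT_FOOTER)):
        raise ValueError("transport cert is not PEM-armored with the expected delimiters")
    body = body[len(CERT_HEADER):len(body) - len(CERT_FOOTER)]
    try:
        # PEM wraps lines; drop all whitespace, reject any other stray characters.
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("transport cert body is not valid base64") from exc
    if not der.startswith(b"\x30"):
        raise ValueError("decoded transport cert is not a DER SEQUENCE")
    return der


class _CertObject:
    """Stand-in for the new Dogtag return type (constructed for this example)."""

    def __init__(self, subject_dn, encoded):
        self.subject_dn = subject_dn
        self.encoded = encoded


def demo():
    # Constructed sample: a tiny DER SEQUENCE, not a real certificate.
    der = b"\x30\x03\x02\x01\x05"
    pem = CERT_HEADER + "\n" + base64.b64encode(der).decode() + "\n" + CERT_FOOTER + "\n"
    return (transport_cert_to_der(pem) == der
            and transport_cert_to_der(_CertObject("CN=DRM Transport", pem)) == der)
```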